[00:02.540 --> 00:08.680]  Hello, my name is Cecilia Vian. Thank you for having me here at the Crypto & Privacy Village.
[00:08.680 --> 00:15.680]  I'm here to talk about stalkerware and an incident that happened late 2019 and early 2020.
[00:20.550 --> 00:29.630]  I work as a consultant tester. I mostly do software testing with UX and security in mind.
[00:30.150 --> 00:35.290]  And I have what's called an unconventional background for my field of work
[00:36.110 --> 00:42.530]  because I have a bachelor's degree in pedagogics. That's educational psychology if you're American.
[00:42.970 --> 00:46.850]  And I have a master's degree in philosophy of technology.
[00:48.050 --> 00:56.450]  It means that I think a lot about what is technology, what are humans doing with technology,
[00:56.450 --> 01:03.710]  what are they not doing with technology, how is technology affecting us, and so on.
[01:04.850 --> 01:12.270]  Now, I live and work in Norway. It's a small country. You may or may not have heard of us.
[01:12.630 --> 01:19.760]  There's about 5.5 million Norwegians and it's a country mostly known for its
[01:20.320 --> 01:25.420]  fjords and mountains and very generous parental leave.
[01:25.520 --> 01:32.380]  But for this context, what's important is it's a country that has pretty advanced
[01:32.380 --> 01:38.420]  technological infrastructure. Most people in Norway have internet connections,
[01:38.420 --> 01:45.200]  they have smartphones, they have digital IDs, they adopt new technology pretty fast.
[01:45.200 --> 01:58.680]  We have already implemented GDPR and we have a very digital and highly coordinating banking system.
[02:00.500 --> 02:05.900]  Banks in Norway mostly don't have any offices, like physical offices.
[02:06.980 --> 02:09.740]  Banking here is done online and
[02:12.720 --> 02:18.200]  people are paying their bills online, they're receiving their salaries and pensions directly
[02:18.200 --> 02:22.720]  to their bank accounts, and people are using debit card and credit card and
[02:22.720 --> 02:31.840]  what's called digital wallets. That's commonplace. We don't really use checks,
[02:32.390 --> 02:39.700]  we don't really use cash a lot, and prepaid cards are not really in use in Norway.
[02:40.620 --> 02:48.380]  In Norway, not only the young people are online, but also older people are online.
[02:49.100 --> 02:56.000]  My grandpa is online, my great-grandmother would have been online,
[02:56.680 --> 03:05.380]  she would do all her banking online. That's now common here. Everybody is online and doing their
[03:05.380 --> 03:14.680]  banking there. We are essentially, well, you could say living the dreams of banks other places.
[03:15.240 --> 03:28.090]  It's very easy, it's efficient, but it also has some drawbacks. Now, story time.
[03:30.640 --> 03:36.220]  Late last year, I bought lunch at a grocery store.
[03:37.280 --> 03:42.800]  It's not as exciting as I try making it sound exciting, but you know.
[03:43.320 --> 03:52.420]  One of the items that I bought was a pack of tea, and I paid for this, of course, as a Norwegian by
[03:52.420 --> 04:00.060]  card. When I got home after work, I was cold, and I was tired, and my significant other,
[04:00.060 --> 04:03.980]  he's a nice person, and he wanted to make me a cup of warm tea.
[04:05.440 --> 04:18.060]  He couldn't find any tea, so he asked me, where did you put the tea I, you know, you bought? And that,
[04:18.060 --> 04:28.260]  uh, that was odd, because I hadn't told him that I bought tea, because the tea was for my office,
[04:28.260 --> 04:42.850]  it wasn't for our home. So how come he knew that I bought tea? Is he stalking me? Now,
[04:44.090 --> 04:51.290]  I guess you do have some kind of idea what stalkerware is.
[04:51.370 --> 04:57.490]  By definition, any software that allows for stalking is called stalkerware.
[04:58.390 --> 05:06.250]  But with this definition, a lot of very different things will end up being called stalkerware.
[05:06.710 --> 05:11.610]  So for clarity, I have divided stalkerware into different categories.
[05:16.870 --> 05:30.330]  First, there's the classic stalkerware. You can call it creepware, spouseware,
[05:30.330 --> 05:40.810]  theft tracking, child safety is very, it's a very positive spin on stalkerware.
[05:40.810 --> 05:51.190]  We also have something called prop tech, which is a new type for me.
[05:51.530 --> 05:57.390]  And you have to install this kind of software on hardware,
[05:58.330 --> 06:05.730]  on the victim's hardware, for instance, on a victim's phone, or victim's computer, watches,
[06:05.730 --> 06:14.890]  house, toys, their car, anything. And it can be really hard to find.
[06:15.470 --> 06:23.730]  And for people who are leaving abusive partners, the best and easiest advice given is move,
[06:23.730 --> 06:31.130]  get new devices, get rid of your old computer, get a dumb phone, start over.
[06:36.790 --> 06:45.190]  So one of the ways my significant other could have known that I bought tea
[06:45.910 --> 06:50.650]  is if he had installed some kind of stalkerware on my phone, for instance.
[06:51.250 --> 06:57.850]  But for this occasion, traditional stalkerware didn't really make any sense. It didn't quite fit.
[06:59.710 --> 07:02.930]  So what else do we have? What else could it be?
[07:04.910 --> 07:12.730]  Well, obviously, having to get access to someone's hardware is an obstacle,
[07:12.730 --> 07:19.570]  and it's a bit of a hassle if you want to stalk them. So naturally, stalkerware evolved,
[07:19.570 --> 07:30.880]  and we got what I called stalking as a service. Well, stalking as a service,
[07:30.880 --> 07:37.020]  you can't just invite someone to be stalked. If you tried, please let me know how that went.
[07:38.000 --> 07:43.600]  But typically, the victim is encouraged to register as a service by the abuser
[07:44.760 --> 07:48.440]  because it's something fun or useful.
[07:50.860 --> 07:59.460]  And this kind of stalkerware could be camouflaged as find my phone, as something social media
[07:59.460 --> 08:10.100]  related type of app, photo apps, a lot, health app and loyalty programs. They have fun features
[08:10.100 --> 08:18.960]  like sharing by default and geotagging your pictures and tracking your whereabouts and
[08:18.960 --> 08:27.620]  sending copies of whatever you upload or register there, notifications or share the account you
[08:27.620 --> 08:36.220]  register in some way. Now, there's a lot of gray areas in this because there's so many legit
[08:37.040 --> 08:44.200]  applications and apps and services that do the exact same thing and make it really hard
[08:44.660 --> 08:55.160]  to stay private. So it's hard to tell sometimes if it's meant to be stalkerware or if it's just
[08:55.160 --> 09:07.200]  bad software. But okay. Another thing that sometimes is stalkerware as a service is
[09:08.020 --> 09:15.520]  customer loyalty programs. A lot of the times, I don't think they're meant to be stalkerware
[09:16.520 --> 09:23.320]  but they are definitely facilitating it. Now, I don't typically register for loyalty programs so
[09:23.320 --> 09:37.870]  that doesn't explain why did my significant other know about the tea. Since I didn't think
[09:37.870 --> 09:49.050]  he was trying to hurt me, I asked him, how did you know I bought tea? And he told me he got a receipt
[09:49.050 --> 09:58.430]  and I said, what receipt? Well, in the application, in the Æ application. Æ is one of the Scandinavian
[09:58.430 --> 10:07.750]  letters. And that confused me because I haven't registered in that application. I know it, but
[10:07.750 --> 10:15.690]  I didn't register. And I just had to ask him, did you register my card there? And he said, no,
[10:15.690 --> 10:26.920]  only my card. And I thought that was odd and creepy. And it put me on a sort of,
[10:28.000 --> 10:36.280]  gave me a sort of feeling that there's a new kind of stalkerware out there.
[10:36.780 --> 10:45.720]  That is a new kind of nightmare, really. Because he had enthusiastically and with no harm intended
[10:45.720 --> 10:52.200]  added his card. The card is connected to our joint account.
[10:53.580 --> 10:57.720]  And that's how he got my receipts. Let me show you.
[10:59.740 --> 11:08.720]  I, of course, had to figure this out. Is it really as bad as I think it is? So I downloaded the app
[11:11.300 --> 11:20.040]  and I added my phone number. I got a text message with some numbers in it. I typed numbers into the
[11:20.040 --> 11:35.360]  application again and voila, I was registered. Now, for this program, if you really want to take,
[11:36.240 --> 11:41.980]  use the benefits, you have to add a card, a payment card.
[11:44.070 --> 11:50.210]  It's like this. Now, I know you don't read Norwegian, so I'll explain it.
[11:51.050 --> 11:57.530]  You type in a credit card number. Then you add the month and year.
[11:58.510 --> 12:04.810]  And then you add the bank account number. As I said previously, Norwegians are all about
[12:04.810 --> 12:11.070]  online banking, so everybody has bank account numbers, probably several.
[12:13.710 --> 12:24.250]  And the bank account number, well, it says here in a little text that the account must be registered
[12:24.250 --> 12:31.890]  in your name. And ethically speaking, it definitely should be registered in your name.
[12:31.890 --> 12:35.910]  But there's no technical reason why it should be registered to your name.
[12:35.910 --> 12:40.030]  You can just add whoever you want to stalk down there.
[12:44.530 --> 12:50.170]  I checked out some other programs, some other loyalty programs for the big grocery
[12:50.870 --> 12:59.190]  store chains in Norway, and at least one of the other ones had the exact same solution for this.
[13:02.490 --> 13:06.490]  And there were some other applications that you can do similar things.
[13:06.490 --> 13:13.390]  Not as smooth and super easy, but definitely has the potential for stalking.
[13:13.750 --> 13:22.650]  Now, this type of stalkerware, the third type of stalkerware.
[13:23.830 --> 13:31.330]  We are used to being tracked when we're online and, you know, Google ads that follow us
[13:31.330 --> 13:36.510]  and Facebook ads and so on. If you accidentally type baby ever at the internet...
[13:38.910 --> 13:43.850]  You can just wait for the ads forever to be about babies.
[13:47.110 --> 13:54.970]  And from a million different kinds of trackers, data are being leaked and sold all the time.
[13:54.970 --> 13:58.510]  And if you take that kind of data, you can find an individual.
[13:59.170 --> 14:06.290]  But stalkerware is the other way around. You start out by knowing who you want to know more about.
[14:06.290 --> 14:11.290]  It's very personal. It's very invasive.
[14:15.680 --> 14:25.240]  In addition, this kind of stalking is physical. You can't turn it off. You can't just leave.
[14:25.900 --> 14:29.800]  And you probably don't know it's happening.
[14:33.180 --> 14:38.300]  So this is the kind of stalkerware my significant other used.
[14:38.820 --> 14:42.960]  Not on purpose. He did not know that this would happen.
[14:43.060 --> 14:49.560]  He didn't know that if I used my card that was connected to our joint account,
[14:49.560 --> 14:56.060]  the receipt would show up because he registered his card with his information.
[14:56.520 --> 14:59.900]  It just happened to be the same account number.
[15:00.240 --> 15:03.220]  Remember, you're supposed to give three pieces of information
[15:03.220 --> 15:07.880]  and he gave all three, but they choose to use only one of them.
[15:11.470 --> 15:18.910]  Other types of programs that do the same, or apps, are parking apps and toll passes
[15:18.910 --> 15:25.030]  because they track license plates. And some of the applications that I've checked out
[15:25.950 --> 15:33.990]  do realize that license plate numbers are not secret and bank account numbers are not secret.
[15:35.130 --> 15:40.890]  But quite a few of them treat this information as if it was secret.
[15:44.430 --> 15:49.010]  Now, I'm sure I haven't seen every kind of version of this.
[15:49.010 --> 15:54.710]  And if you know of a version of this kind of stalkerware that uses other kinds of data,
[15:54.710 --> 15:56.570]  please let me know. I'm interested.
[16:01.790 --> 16:06.770]  When I talk to people about this kind of software and the application that is
[16:06.770 --> 16:13.570]  giving my significant other my receipt, people tend to not understand the problem.
[16:13.570 --> 16:18.850]  Let me show you.
[16:19.810 --> 16:28.410]  This is me. I go to the grocery store. I buy tea. When I'm done, I pay. I take the paper receipt,
[16:28.410 --> 16:34.790]  I curl it up, I throw it in the trash. When I leave, as far as I'm concerned,
[16:34.790 --> 16:38.450]  transaction is over. We don't have a relation anymore.
[16:40.150 --> 16:48.070]  The app is a key that gives us a relation. But I don't want to have a relation with the store,
[16:48.070 --> 16:55.770]  so I don't use apps like that. However, my significant other came along and he made a
[16:55.770 --> 17:00.010]  connection. And because he made a connection, he knows about the connection. And because he
[17:00.010 --> 17:04.830]  knows about the connection, he's in control of the connection.
[17:07.660 --> 17:14.300]  As far as the store knows, he is the rightful owner of this information because he put in the
[17:14.300 --> 17:21.480]  account number. And they just don't validate this in any other way. You know the account number,
[17:21.480 --> 17:31.540]  you must be the customer. So, in case you're not sure there is a problem, I want to spell it out
[17:31.540 --> 17:38.880]  for you. First of all, I'm sure you already thought about that, okay, people that are
[17:38.880 --> 17:46.800]  hiding from violent partners or still living in abusive relationships would probably need
[17:46.800 --> 17:57.260]  to be protected from this kind of stalking and leakage of data. But also politicians, activists,
[17:57.260 --> 18:08.140]  journalists, union representatives and religious people do need to be or may need to be particular
[18:08.140 --> 18:20.920]  about their privacy. In addition to these groups, as I said before, I think a lot about humans and
[18:20.920 --> 18:28.460]  what they are and what they do and what they do with technology. I have three other groups. First
[18:28.460 --> 18:39.080]  of all, the elderly. Elder abuse is a thing. Elder abuse is when typically relatives, but also
[18:39.080 --> 18:48.740]  perhaps friends and neighbors of the elderly, when they start to be abusive to the elder person.
[18:49.500 --> 18:59.500]  In this context, perhaps they started having opinions about what should the person spend money
[18:59.500 --> 19:05.540]  on? What should grandma be allowed to buy? Should grandpa be allowed to buy so many beers?
[19:06.800 --> 19:12.120]  Should grandma be allowed to buy so much candy? You know, because she has diabetes.
[19:14.640 --> 19:21.700]  They are grown and adult and their own person with their own money.
[19:22.560 --> 19:36.140]  But they do get unwanted attention from people around them or may get that. Now, there's children.
[19:37.040 --> 19:44.800]  And children, while the smallest children will typically not have a credit or debit card to pay
[19:44.800 --> 19:51.980]  with, when children start to grow up, parents, at least in Norway, start giving their children
[19:52.800 --> 19:58.400]  debit cards with a little bit of money so they can start practice and understand
[19:59.060 --> 20:04.980]  what are money and how expensive are things and, you know, what are things,
[20:04.980 --> 20:10.080]  how does this work? Is it real or is it, you know, imaginary money?
[20:12.100 --> 20:21.060]  And children do need to be protected and have their own privacy, not only from strangers,
[20:21.860 --> 20:30.680]  but also from their parents and relatives and friends. Of course, if everybody was nice,
[20:31.190 --> 20:38.980]  children wouldn't need this, but everybody's not nice. Not every parent is nice,
[20:39.510 --> 20:49.820]  so they deserve their privacy. And then there's teenagers or young adults.
[20:49.820 --> 21:01.260]  And teenagers, they need to have their privacy protected from everyone. Parents, friends,
[21:01.260 --> 21:10.000]  strangers, relatives, employers. There's so many groups of people. They may have opinions
[21:10.640 --> 21:18.660]  and negatively affect teenagers' lives if they knew what teenagers were buying.
[21:18.660 --> 21:26.420]  Just imagine you as a 13-year-old. What if your mom got an instant notification every
[21:26.420 --> 21:37.700]  time you went to the store? Would that affect you? What if you were 16 or 19?
[21:37.860 --> 21:42.440]  In Norway, you are technically an adult when you're 18,
[21:43.620 --> 21:53.080]  but just because you got older, your parents may not be ready to let you be an independent person.
[21:57.810 --> 22:07.170]  Now, groceries. How bad can it be? I guess you already thought about the candy and the alcohol
[22:07.170 --> 22:16.290]  that I mentioned. But in Norway, you can buy the following items in every grocery store.
[22:18.390 --> 22:30.510]  Candy, alcohol, lottery tickets. How many lottery tickets should your significant other allow me
[22:30.510 --> 22:40.950]  or allow you to buy, for instance? Is that a thing? Shouldn't be. Anyways, magazines.
[22:40.950 --> 22:47.370]  You know, not everybody prefers things online.
[22:48.890 --> 22:55.510]  Tobacco. You can get over-the-counter pharmaceuticals such as painkillers.
[22:56.720 --> 23:01.090]  You can get intimate products such as tampons and pads.
[23:03.010 --> 23:10.090]  Not every girl wants to share with her dad instantly when this is a needed product.
[23:11.270 --> 23:19.810]  And you can get condoms and pregnancy tests. That will be a fun conversation to have, right?
[23:21.750 --> 23:27.710]  Not in every store, but in a lot of stores, they sell what's called a morning after pill
[23:27.710 --> 23:43.110]  or an emergency contraception. I guess most teenagers, if they were caught buying this,
[23:43.110 --> 23:50.370]  it would be embarrassing. Perhaps they'll get grounded or they will have a fight with their
[23:50.370 --> 24:01.810]  parents. But some will not survive that their parents know this. And that is why teenagers
[24:01.810 --> 24:07.650]  is such a vulnerable group, because they are growing up and supposed to make independent
[24:07.650 --> 24:18.170]  choices, but are still very close and dependent on their families. So, even though I only bought
[24:18.170 --> 24:27.990]  tea, there's nothing very radical about that. I did go through the motion and thought about,
[24:27.990 --> 24:36.770]  was there something I could have done differently so that I wasn't unintentionally, but still stalked?
[24:39.550 --> 24:50.230]  And I came up with these points. First of all, if I never shared my account number with anyone,
[24:50.230 --> 24:55.800]  then I would have been safe. Unfortunately, account numbers are not secret.
[24:56.790 --> 25:05.490]  And if you want money from your employer, you definitely will have to give your employer
[25:05.490 --> 25:11.650]  an account number to transfer the money to. And your family and friends, if they want to give you
[25:11.650 --> 25:16.410]  perhaps a little attention when you have a birthday,
[25:17.510 --> 25:20.650]  you need to give them an account number to transfer the money to.
[25:24.790 --> 25:34.890]  So, it's not very realistic. So, I thought, what if I had a dedicated account for receiving money?
[25:35.490 --> 25:43.690]  That could work for me specifically. But for people who have a shared economy
[25:43.690 --> 25:52.970]  with someone else, married people or living with someone, or again teenagers,
[25:52.970 --> 26:01.930]  it would be completely normal and expected that other people, their parents or their spouse,
[26:01.930 --> 26:13.010]  know the account number. I could have paid with cash instead of with my card.
[26:15.730 --> 26:25.330]  That would have worked until March 2020. Because March 2020, the COVID-19 virus hit Norway
[26:26.260 --> 26:33.990]  and a lot or actually most stores stopped accepting physical payment money
[26:35.610 --> 26:42.530]  because they were afraid that the COVID-19 virus would be transferred via the money.
[26:42.870 --> 26:56.770]  So, it's card only. I could have chosen not to shop at that particular grocery store chain.
[26:59.130 --> 27:05.310]  But unfortunately, that particular one together with the other one that I mentioned also have
[27:05.310 --> 27:16.010]  the same app. Together they have a 76% market share. And in Norway, well, I live in, let's call
[27:16.010 --> 27:25.430]  it a large town where not a lot of people, but we are enough people that I have a choice. I could
[27:25.430 --> 27:33.650]  have bought my lunch somewhere else. But in a lot of towns spread around Norway, you only have one
[27:33.650 --> 27:48.570]  or two shops and probably one or two of those specific stores. Now, I did discover that when
[27:48.570 --> 27:55.450]  I started to register my own card in the application, I got an error message that says
[27:55.450 --> 28:01.210]  that this card is already registered. It meant that they had some kind of control mechanism
[28:01.210 --> 28:08.790]  so that only one person would register the account number and my significant other already
[28:08.790 --> 28:15.890]  had registered the account number. So, I couldn't. I did, of course, verify this.
[28:15.890 --> 28:25.110]  I verified by asking some friends if they would allow me to stalk them for a while.
[28:25.350 --> 28:32.690]  And because my friends are my friends and know what I do, they said yes. So, I stalked my friends
[28:32.690 --> 28:44.300]  to verify that the application actually worked the way I suspected. Yes. But to sum it up,
[28:45.480 --> 28:51.060]  I can't really protect myself from this kind of stalkerware. I can protect myself from the
[28:51.060 --> 29:00.020]  classical type by changing all my devices, by having dumb phones, you know. I can protect
[29:00.020 --> 29:08.820]  myself from the other type, the stalkerware as a service, by not registering anywhere.
[29:08.820 --> 29:14.660]  But this type I cannot protect myself against. Not even in theory.
[29:16.260 --> 29:24.600]  It's not practical. It's not possible. And because, unfortunately, I do think there are
[29:24.600 --> 29:35.220]  other applications that rely on different kinds of not really secrets. And I can't keep up with that.
[29:36.120 --> 29:42.000]  In reality, I wouldn't know if someone tried stalking me this way,
[29:42.000 --> 29:49.540]  unless they did something to make me aware of it. Like asking me, where is the tea?
[29:51.890 --> 29:57.870]  But I'm not giving up. So, what do I do? Well,
[29:59.470 --> 30:09.730]  I realized that that grocery store chain, making stalkerware was probably not their primary
[30:10.770 --> 30:17.570]  business. They're not, not their intention. It's just something that happened as a side effect,
[30:17.570 --> 30:23.510]  because they were doing this side gig that was collecting data and trying to be cool and
[30:24.470 --> 30:35.250]  new and digital and so on. So, I contacted them and told them about this.
[30:40.090 --> 30:48.450]  So, I believe in responsible disclosure. Give companies a chance to fix their mess,
[30:48.450 --> 30:57.570]  and so it stops hurting people. In this case, I told them.
[30:58.350 --> 31:07.530]  We talked, I explained, it was nice. I gave them a limited time for them to fix the problem.
[31:08.110 --> 31:14.150]  I do work in software, with software development. So, I do have a rough idea of how much time would
[31:14.150 --> 31:19.210]  be reasonable, because I didn't want to give them forever, because you know what happens then.
[31:20.170 --> 31:28.790]  So, halfway through my deadline, I follow up and ask how are things going,
[31:28.790 --> 31:35.010]  how's the progress, just in case they for some reason needed extra time.
[31:36.290 --> 31:43.180]  Well, they thanked me.
[31:44.060 --> 31:51.420]  And then they gave me a bounty, which is nice and super rare, that never happens in Norway.
[31:51.440 --> 32:02.360]  And then they did nothing. Nothing. They decided it was more convenient to keep things the way
[32:03.200 --> 32:13.340]  it was. When they decided not to fix things, I had to decide if I wanted to warn the victims.
[32:14.300 --> 32:24.190]  Now, warning victims meant going public. Going public is not all cool and fun,
[32:25.000 --> 32:30.890]  because if I didn't reach out enough, I wouldn't be warning victims.
[32:30.890 --> 32:35.870]  I would be giving harmful people another tool to be cruel.
[32:38.310 --> 32:45.150]  So, I had to think about it. In addition, it has a personal cost, because as I mentioned,
[32:45.150 --> 32:50.980]  I'm a consultant tester. Companies hire me to test their software.
[32:51.880 --> 32:59.360]  If I made waves, they may see me as a troublemaker and not hire me in the future. So,
[33:00.100 --> 33:04.020]  that is also something I had to think about. Was it worth the risk?
[33:08.270 --> 33:16.290]  I decided it would be worth the risk. I contacted a journalist that I know understands technology.
[33:16.970 --> 33:23.790]  He worked at the Norwegian Broadcasting Corporation. It's a national news channel in Norway,
[33:23.790 --> 33:28.840]  it reaches around 80 to 89 percent of the adult population on a daily basis.
[33:30.650 --> 33:40.310]  And for a few hours in the morning, the case got the front page.
[33:40.550 --> 33:49.430]  And it was on heavy rotation in the news and on the radio. And that felt so good,
[33:49.430 --> 33:53.770]  because it meant that I got the outreach that I needed.
[33:57.050 --> 34:07.050]  The journalist was a good journalist, so he also called the company responsible for the app,
[34:07.630 --> 34:18.390]  and they had made a statement. But around 24 hours after this got published,
[34:18.390 --> 34:25.370]  they decided to close the feature that was facilitating stalking.
[34:25.830 --> 34:31.270]  And that was even better. That was a real win, because it meant that this software
[34:31.270 --> 34:42.430]  was no longer harming people. Unfortunately, this was only one out of two that was using the same
[34:42.430 --> 34:48.950]  software. And the other people, they were also asked for a statement, and they decided
[34:50.510 --> 34:56.990]  they didn't want to do something. They decided it was worth the risk, which is pretty unfair,
[34:56.990 --> 35:04.150]  because they're not really risking anything. They're taking a risk on other people's behalf.
[35:05.370 --> 35:11.190]  But anyway, they decided they wanted to wait and see what happened, and whether or not
[35:11.970 --> 35:22.050]  the first company would get a GDPR fine. Like, they had to pay to the authorities.
[35:26.030 --> 35:32.570]  Yeah. So,
[35:32.570 --> 35:38.430]  the Trumf app in NorgesGruppen still has the issue, as far as I know.
[35:39.050 --> 35:42.210]  In addition, there was a lot of parking apps.
[35:42.210 --> 35:50.070]  It came up as a part of the discussion that followed going public with the app feature,
[35:50.070 --> 35:54.690]  because people started telling me and others that, you know what, but my parking app is doing the
[35:54.690 --> 36:01.850]  same thing. I can add cars that I don't own. There's no verification. And I checked up on it,
[36:01.850 --> 36:09.170]  and several companies have been told and warned, and they as well just decided it was worth the
[36:09.170 --> 36:23.600]  risk. In other words, it wasn't worth the effort. Now, I'm not done.
[36:25.100 --> 36:31.500]  And neither are you. So, if you find this stuff out in the wild, please do something about it.
[36:32.020 --> 36:39.680]  I suggest, first, tell the owners or makers. They're not always the same people.
[36:39.680 --> 36:48.780]  So, give them a proper, clear explanation. Include some abuse scenarios. You can use some
[36:48.780 --> 36:56.920]  of the ones that I mentioned, because they don't always get the problem. They just see
[36:58.120 --> 37:03.320]  somebody contacting us, wanting us to do and spend money and time on something. So,
[37:03.320 --> 37:09.240]  you really need to be clear about it. If there's an authority that should be notified, notify them.
[37:10.040 --> 37:15.840]  In Norway, we do have an authority. It's called the Datatilsynet. I'm sorry,
[37:15.840 --> 37:25.960]  I don't know the English translation. And I did tell the creators and owners of the app
[37:26.480 --> 37:32.760]  that they had to notify Datatilsynet themselves, because that's how it should work.
[37:32.760 --> 37:43.260]  And they did. But most importantly, educate yourself and others around you,
[37:43.260 --> 37:55.600]  so that you don't unintentionally make stalkerware. And if it's worth it, go public.
[37:56.810 --> 37:59.910]  After you've done a responsible disclosure.
[38:00.890 --> 38:09.750]  And after going public, if that didn't work, you know what? Shame them. Shame the companies
[38:09.750 --> 38:23.420]  that refuse to be decent. Tell people about it for a long time. Now, first step in educating
[38:23.420 --> 38:31.060]  yourself is to look up these two eras. They're both badass. Read the article that is mentioned
[38:31.060 --> 38:38.400]  here. And please watch the video. It's good. I'll make sure that the links are published
[38:38.400 --> 38:47.400]  somewhere related to this talk. And if you're still ready for more, after reading the article
[38:47.400 --> 38:55.160]  and watching the video, I recommend the collection that the Vice Media Group made.
[38:55.800 --> 39:01.460]  It's called When Spies Come Home. And it's a good collection of articles
[39:02.220 --> 39:08.140]  around that shows the problem with stalkerware, really. Yeah.
[39:09.580 --> 39:13.020]  And if you have questions, let me know.
[39:16.360 --> 39:24.260]  Thank you for your time and for your patience. I hope you're as pissed off as I am.
[39:37.300 --> 39:41.460]  That was Next Level Stalkerware. Thank you again to Cecilia Vian.
[39:41.460 --> 39:46.580]  We are very thankful to have you here. So, our speaker is now here for a live Q&A. So,
[39:46.580 --> 39:52.720]  please put any of your questions in the Discord CPV Q&A channel. Currently, we have one question
[39:52.720 --> 40:00.460]  so far. Speaking of child protection from the commenter, I am in Utah. A bit of a bubble over
[40:00.460 --> 40:05.620]  here. What is right about deploying stalkerware against a child and wrong about deploying it
[40:05.620 --> 40:13.180]  against an adult? Okay. So, one of the differences between being an adult and a child is that
[40:13.180 --> 40:20.680]  children learn to make good decisions. And if you want to teach your children to make good decisions,
[40:20.680 --> 40:26.320]  you need to give them the space to actually do it. And privacy is a part of that. And as they
[40:26.320 --> 40:31.260]  are growing and become more and more independent and have more and more independent opinion
[40:31.260 --> 40:40.900]  and experiences, they also need more privacy. Because as I mentioned, not every parent is nice.
[40:40.900 --> 40:47.520]  And if we make sure that every child gets some kind of privacy, there is room to tell others
[40:47.520 --> 40:53.620]  that they're not fine. So, it's just like we really need to make sure that every child gets
[40:53.620 --> 40:59.100]  this and not just the children who have it nice at home. Because you can't really tell.
[40:59.900 --> 41:06.500]  And I'm aware there's some cultural differences when it comes to how independent and how much
[41:06.500 --> 41:16.900]  privacy a child can have. But in essence, from like from a pedagogic perspective,
[41:16.900 --> 41:21.860]  if you want your children to make good decisions, you have to give them the space for it.
[41:26.520 --> 41:32.710]  That is really, really lovely. And hopefully any future parents or current parents in here
[41:32.710 --> 41:40.090]  are listening to this and hear that thoughtful advice. We have another question also saying,
[41:40.090 --> 41:44.590]  I know Norway is already GDPR compliant. Is there anything policy related that you could
[41:44.590 --> 41:53.410]  push forward to combat stalkerware? Yes, there is. I did tell there's the
[41:55.630 --> 42:01.550]  hang on, let me remember what they're called. It's like authorities for computer and digital.
[42:02.090 --> 42:08.850]  They have a very complicated name. But anyway, and they are the ones who are handling all GDPR
[42:09.390 --> 42:15.250]  complaints and issues. And they also have a mandate to give out fines, for instance.
[42:16.830 --> 42:23.810]  And in Norway, you're supposed to tell, you know, confess if you have an incident that is related
[42:23.810 --> 42:28.710]  to privacy. And I did tell the company that I was in contact with and told them, you know what,
[42:28.710 --> 42:33.510]  you really have to do this yourself. Because if I tell them, it's going to be very bad.
[42:33.770 --> 42:39.850]  And they told them. And when I went public, they said that, well, we have to look into it again,
[42:39.850 --> 42:45.190]  because they were essentially just putting the case in the bottom. And just like,
[42:45.190 --> 42:50.290]  yeah, because of the way that the company had displayed the situation, because they said like,
[42:50.290 --> 42:56.250]  it's not really a big issue at all. It's like one person and so on. And when I went public and
[42:56.250 --> 43:03.790]  issue was like revealed, they were like, oh, we have to pick this up again. So I expect
[43:05.270 --> 43:11.250]  in, but it will probably take like six months to a year before they actually will make a proper
[43:11.250 --> 43:19.090]  legal statement and, you know, serve a fine related to this. And that is the thing that
[43:19.090 --> 43:26.510]  the other company is waiting for. The one that's not changed their app. And but the authorities
[43:26.510 --> 43:34.930]  are great. It's just that they have a lot to do. So everything is super. We can definitely tell
[43:34.930 --> 43:42.890]  them just takes forever. And while we're waiting, more people are being hurt. So I just, yeah,
[43:42.890 --> 43:49.070]  it's frustrating. Oh, gosh, that is quite a lot of time for things to happen.
[43:49.090 --> 43:57.050]  Yes, we have another comment with some context behind it for US context. Here in the US,
[43:57.050 --> 44:01.930]  some cities are requiring all stores to accept cash, because many people don't have credit cards.
[44:01.930 --> 44:07.250]  Would you recommend using cash whenever buying sensitive items? Yes, I would.
[44:08.410 --> 44:15.910]  I definitely would. And if you don't have cash, or like the situation is now where some stores
[44:15.910 --> 44:23.250]  will not accept cash, ask a friend you trust to pay for you. If you have reason to suspect,
[44:23.250 --> 44:32.980]  or if you are sensitive about what you're buying. That's a really interesting point.
[44:36.120 --> 44:40.840]  At the moment, I don't think we have any more further questions from the discord.
[44:40.980 --> 44:46.780]  Thank you so much again, Cecilia, for joining us today. And for your really lovely talk.
[44:46.780 --> 44:47.960]  Please take care and...
